Switching: Dynamic VLAN’s, VQP, and VMPS



This article continues the series on LAN switching and Cisco Catalyst switches. This article we’ll talk about dynamic VLAN’s, and explain what VQP and VMPS are, as well as how they work and how to configure them.

Prior articles in the series:


What are VQP and VMPS


We talked in a prior article about configuring ports to belong to a VLAN. This is the static approach to VLAN’s, where a port is always a member of a specific VLAN. You can also configure a port to dynamically determine what VLAN to belong to. Initially (and fundamentally) this process is tied to the MAC address of the end station on the port. Cisco is in the process of making this much more administrator-friendly (and useful!) by tying it into directory servers — more on that later.

There is a process whereby a switch with a dynamic port can query a server with end station information to find out what VLAN the port should be in. The query is done via VQP, VLAN Query Protocol. The query goes to a VMPS, VLAN Membership Policy Server. The VMPS was initially a Catalyst 5xxx, but this is in the process of changing to where the server is perhaps a workstation running URT, User Response Tool, and eventually to perhaps a Windows 2000 Active Directory Server.

The following are capable of being VMPS servers right now: supervisor software release 2.3 or later on Catalyst 5000 and 2926G series switches. Many of the Cisco switches are capable of being VQP-using clients with dynamic VLAN’s.

You can have several end stations on a dynamic port (using a hub), but they must all belong to the same dynamic VLAN. If there are more than 20 (29xx XL) to 50 (Catalyst 5xxx) end stations on a single port, the dynamic port will be shut down by the switch.


Configuring VMPS


Configuring VMPS is fairly simple, with only one minor surprise. (Troubleshooting it, however, may be a bit more complex).


Catalyst Set-Based Configuration


The basic command to start off with is


This tells the future VMPS server what TFTP server to get information from, and optionally what filename the information will be under. The default filename is vmps-config-database.1.

You then do a

(the alternative being disable), upon which the wannabe VMPS server will attempt to download the configuration database specified with the tftpserver command. If the TFTP download succeeds, then VMPS will become enabled. If the transfer fails, you’ll get an error message and VMPS will remain disabled. The download/enable process also takes place when you reboot the switch.

You can force a download of new VMPS server information to a server with the command

This also can be used to retry after a download fails.

To set up a set-based switch as a VQP client, you need to tell it who its VMPS server is. This is done with the command

You can do this up to three times, one primary and two backup VMPS servers. When the primary is down, it’s status will be checked every five (5) minutes. When it is back up, queries will again be sent to the primary first.

For there to be any point to having a client, you need to use dynamic VLAN’s. A port is made dynamic with the command

and the status will show up in the show port command output. Use the command

occasionally as the enabled (privileged) user, if you wish to have the switch reconfirm all dynamic port VLAN assignments.

The design intent appears to be for there to be a VMPS server for local switches, say switches sharing a VTP domain. The point here is: you probably do not want to have to reach your VMPS server through a router, and if you do, it is the one Layer 3 switching hop to the server farm on campus (more on this if I write a switched campus design article).

Other related commands:

clear vmps serverThis command deletes a VMPS server from the list of servers in the client switch.
clear vmps statisticsThis resets the VMPS statistics to zero.
show vmpsThis command produces a summary of VMPS configuration and status information, including whether VMPS is enabled or disabled, which station the VMPS server might be, what the TFTP server address is, and what the VMPS database filename is.
show vmps macThis command (on the VMPS server) shows the MAC to VLAN mapping table (the database). It also shows the last requestor, which tells you which switch and switch port last had the end station in question attached to it, also whether the request succeeded or was denied.
show vmps statisticsThis command displays VMPS-related statistics. It can be useful for troubleshooting, since it shows you VQP requests, denied requests, and also the MAC address of the end station associated with the last failed request.
show vmps vlan vlan-nameOn the VMPS server, this shows all MAC addresses for a VLAN in the VMPS configuration database.
show vmps vlanports vlan-nameOn a Catalyst 5xxx switch, shows the ports associated with the specified VLAN name.

Troubleshooting VMPS


Ways that VMPS can fail to start up:


  • Failure to configure the TFTP server address

There’s an error message to this effect, that shows up when you try to configure VMPS to be enabled. Do put the TFTP server address in!

  • Unable to contact TFTP server

When you enable VMPS, the switch might not be able to contact the TFTP server. Make sure the TFTP server is functioning (that is, it is up and running and that TFTP on it is working), then check routing and connectivity between the client switch and the TFTP server.

  • The configuration file isn’t found on the TFTP server.

Check case and spelling of the name on both ends, switch and TFTP server.

  • Enable failure due to inadequate resources.

You’re out of RAM on your switch, dude!


Ways VMPS/VQP and dynamic VLAN’s can fail:


  • Client needs to see the attached endstation.

Check for link light, and check that the endstation is transmitting. (If it is not transmitting, the switch cannot learn its MAC address).

  • Client to server query.

The client and server need to be able to send IP UDP packets between each other. Test with ping. Since you’re probably not doing this through a router, traceroute should be irrelevant.

  • Client needs to get a positive reply back.

If the client does not get a reply back, or if the reply that does come back is a denied response, then (see below) the client is placed in a default VLAN or the port is disabled. If you don’t know this, you’ll think there are a link or switch port problems instead!


IOS-Based Configuration (2900 XL Series)


The IOS-based XL switches are currently VQP but not VMPS capable (nor does it appear VMPS functionality will be added to them, they primarily edge switches).

To specify the VMPS server, use the configuration command

vmps server ipaddress [primary]

To check the effect of this, try

To make an interface (port) dynamic instead of static, configure

You can check this with

To have the switch re-check the dynamic port VLAN assignments, use the EXEC mode command

The default reconfirms interval is 60 minutes. The default number of retries on a VQP query is 3. You can configure these with


VMPS Configuration Database


Here is a sample of the VMPS configuration database file that a VMPS server might download from a TFTP server. Note that the syntax is not well documented. The file must start with the VMPS domain name, which must match the VTP domain (including case). Do NOT capitalize “vmps“, the file contents are case-sensitive (and in at least some of the Cisco documentation I’ve seen, the Marketing Communications rewrite capitalized “vmps” as the name of the protocol/acronym).

The second line of the sample below specifies security mode, which can be either open or secure. In secure mode, an unknown MAC address causes the port to be shut down. In open mode, unknown MAC addresses are assigned to fallback (default) “unsecure” VLAN, specified with the vmps fallback line. The default mode is open. You can also specify whether requests with no VTP/VMPS domain are allowed or denied. By the way, when unknown MAC addresses or denied situations occur, the switch can send an SNMP trap to your SNMP trap receiver (management station). This might be useful for tracking the use of unauthorized PC’s in a campus environment (provided that’s something you care to manage).

This section of the configuration database file is followed by the list of MAC addresses and VLAN names:

Note that “–NONE–” is a way of excluding an untrusted MAC address: the VMPS server will send a denied response to any queries.

You can apparently specify what devices are allowed on what ports (I haven’t tried this). Note that quotes are used when the name contains a space.

You can then create groups of VLAN (names) and then policies as to which VLAN’s are allowed on which ports (using the above port-groups):